Big vulnerabilities in China’s mandatory filtering software

The Chinese government is pressuring hardware manufacturers to preinstall …

Recent reports indicate that the Chinese government is planning to extend the reach of its Internet censorship efforts. The government's massive back-end filtering system, referred to satirically in the West as the Great Firewall of China, will soon be augmented by client-side filtering tools that the Chinese government is pressuring hardware manufacturers to ship with new computers.

The filtering software, which is called Green Dam, is designed to analyze the user's network traffic and block material that is politically sensitive or adult in nature. Security researchers at the University of Michigan analyzed the software and discovered a number of extremely serious security vulnerabilities. They say that malicious websites can take advantage of the security bugs to run arbitrary code on the user's computer.

The report also provides insight into the scope of the filtering system's functionality, resolving many of the ambiguities that existed in previous reports about the technology. The software includes image, text, and URL filters. The researchers say that the image filtering system, which is designed to filter out pornographic material, leverages the open source OpenCV imaging library to detect images with significant areas of skin tone.

The text filtering system operates by matching against word lists and also includes a text analysis algorithm. The filtering system will automatically terminate programs when forbidden words are detected. The researchers say that a large portion of the blacklists' contents has been taken verbatim from commercial filtering programs that are sold in the United States, including CyberSitter.

The researchers were able to exploit a buffer overflow vulnerability in the filtering software's URL analyzer. Because the filtering system hooks itself into the network stack at a relatively low level, these vulnerabilities are said to be exploitable in virtually all browsers.

"We discovered programming errors in the code used to process web site requests. The code processes URLs with a fixed-length buffer, and a specially-crafted URL can overrun this buffer and corrupt the execution stack," the report says. "Any web site the user visits can redirect the browser to a page with a malicious URL and take control of the computer."
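The bug class the report describes, as an added C example (not code from Green Dam or from the researchers' report): an unbounded copy of a URL into a fixed-length stack buffer, beside a version that bounds the length before copying. The function names, the 256-byte buffer size and the blocklist entries are assumptions made for illustration.

```c
/* Added illustration: names, buffer size and blocklist are assumptions. */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define URL_BUF_LEN 256   /* assumed size of the fixed-length buffer */

enum verdict { URL_ALLOW, URL_BLOCK, URL_REJECT };

/* Constructed sample blocklist (hypothetical hosts). */
static const char *const BLOCKED_HOSTS[] = { "blocked.example", "banned.example" };

/* Compare the host part of a bounded, NUL-terminated URL to the blocklist. */
static enum verdict match_host(const char *url)
{
    const char *host = strstr(url, "://");
    host = host ? host + 3 : url;
    size_t host_len = strcspn(host, "/:?#");
    for (size_t i = 0; i < sizeof BLOCKED_HOSTS / sizeof BLOCKED_HOSTS[0]; i++) {
        if (strlen(BLOCKED_HOSTS[i]) == host_len &&
            memcmp(host, BLOCKED_HOSTS[i], host_len) == 0)
            return URL_BLOCK;
    }
    return URL_ALLOW;
}

/* Flawed pattern: the amount copied is decided by whoever supplies the URL.
 * Anything longer than URL_BUF_LEN - 1 bytes is written past buf, over
 * adjacent stack data. Shown for contrast; never call it on untrusted input. */
enum verdict check_url_unsafe(const char *url)
{
    char buf[URL_BUF_LEN];
    strcpy(buf, url);                 /* no length check */
    return match_host(buf);
}

/* Hardened pattern: measure within the bound, refuse what does not fit,
 * then copy exactly the measured length. */
enum verdict check_url_safe(const char *url)
{
    char buf[URL_BUF_LEN];
    size_t len = 0;

    if (url == NULL)
        return URL_REJECT;
    while (len < URL_BUF_LEN && url[len] != '\0')
        len++;                        /* reads at most URL_BUF_LEN bytes */
    if (len == URL_BUF_LEN)
        return URL_REJECT;            /* too long: fail closed, do not truncate */
    memcpy(buf, url, len + 1);        /* len + 1 <= URL_BUF_LEN, includes NUL */
    return match_host(buf);
}

int main(void)
{
    char long_url[1024];              /* constructed overlong input */
    memset(long_url, 'A', sizeof long_url - 1);
    long_url[sizeof long_url - 1] = '\0';
    printf("blocked host: %d, overlong URL: %d\n",
           check_url_safe("http://blocked.example/x"), check_url_safe(long_url));
    return 0;
}
```

Rejecting rather than truncating matters for a filter: a truncated URL would be matched against something other than what the browser actually requests.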

The researchers also discovered a troubling vulnerability in the mechanism that parses the banned word files. This is especially problematic because the program is designed to support automatic updates of URL blacklists and banned words directly over the Internet. The maker of the software (or whoever controls the updates) could potentially deploy a malicious update file that exploits the vulnerability, thus giving them the ability to take control of the user's computer.

These problems demonstrate the risk of broadly deploying state-enforced censorship software. If the filtering software were sufficiently pervasive, automated exploits would be able to turn the whole country into a giant botnet practically overnight.

"If the filtering software were sufficiently pervasive, automated exploits would be able to turn the whole country into a giant botnet practically overnight."

So? I said it on Slashdot but I'll repeat it here. China is so poorly connected within China and to the outside world that the whole country could be blackholed easily. A massive Chinese botnet is a non-issue. In fact, if a huge botnet tried to send traffic out of China it might "melt" the filtering system they have set up. I think it would be much more troubling if American companies complied with the request to install censor-ware not because of the botnet potential but because, I don't know, it's CENSORSHIP? Jeez.

In the past it seems the Chinese people don't really care about censorship. So, I think the software is a non-issue for them. So, the botnet is a non-story and the censorship is a non-story unless like me you believe censorship is inherently wrong. On the other hand if the Chinese don't really care, then why should I lest I be accused of cultural imperialism?

P.S. Why do Communists care about pr0n? I don't get it. I guess it's about control.

So, the Chinese are stealing any piece of software that isn't nailed down to create a buggy, weaksauce censorship tool to oppress their people? Based on this evidence we shouldn't be worrying too much about Chinese cyberwarfare, eh? Just give them some bug-and-trojan-infested code libraries for their censorship programs and they'll slit their own throats in short order.

"Why do Communists care about pr0n? I don't get it. I guess it's about [libido] control." Too many Chinese already.

Originally posted by divisionbyzero: A massive Chinese botnet is a non-issue. In fact, if a huge botnet tried to send traffic out of China it might "melt" the filtering system they have set up. I think it would be much more troubling if American companies complied with the request to install censor-ware not because of the botnet potential but because, I don't know, it's CENSORSHIP? Jeez.

This is an important comment. But not why you said it. While we have firm beliefs in the freedom of speech here in the US, applying our moral filters to the rest of the world is part of the reason the rest of the world doesn't like us very much. Further, multinational corporations serve their customers according to the laws of the land within which the customer resides. You can't claim they can do otherwise, as they would be evicted from the country otherwise. Look at it this way: Chinese companies do business in the US, according to US rules and laws. Do you feel they should apply Chinese rules and laws to their business here? Yet you want US companies to do so there. Does the phrase "double standard" mean anything to you?

I don't support censorship, I don't support this filtering software (or any filtering, for that matter), but we have to bow to the realities of different cultures having different laws. It is worth noting however that the Chinese citizens are overwhelmingly against this, based on numerous polls about the topic.

quote:

Originally posted by divisionbyzero: So? I said it on Slashdot but I'll repeat it here. China is so poorly connected within China and to the outside world that the whole country could be blackholed easily.

Blackholing an entire country is tantamount to an act of war. Or terrorism. It's also not as easy as you'd think. Remember when Pakistan attempted to just block YouTube? The whole country went down, along with lots of other random networks. And that was just the YouTube netblock being blackholed. Routing infrastructure is very delicate, and you have to be extremely careful with your filters, especially as there are multiple netblocks used in multiple countries, or even worse, Chinese routers provide transit to non-Chinese netblocks. You going to punish them, as well?

Also, I intentionally reversed the order of quotes to point out the irony of your statements. Don't censor, but piss us off, we black hole your entire country!

Originally posted by divisionbyzero: P.S. Why do Communists care about pr0n? I don't get it. I guess it's about control.

Typically, these totalitarian countries, e.g. North Korea, Burma (Myanmar), etc., tend to be very socially conservative and as such tend to try and control public morals. I think though, that while sexual censorship is at the forefront, this p0rn thing is a red herring and the real job of the Green Dam is political censorship. Control in the 1984 sense. If you control the input of sources of information for a long enough time your citizens will have no reason to think differently than the official versions. The question is will this filtering software be persuasive enough to filter out enough conflicting information so citizens will have no options to official policy? Probably not, and I would guess that 1984 type censorship is impossible without much more draconian methods.

I chatted about this "new" software with some Chinese software guys today, and they related some pretty dirty puns in Chinese (Chinese is much punnier than English) based on the name. So it's already an object of severe ridicule in China.

This post (from Imagethief, not me) is a good summary of how most intelligent "China observers" view the issue: http://is.gd/ZZXV

Obviously you didn't read my whole post. I basically agree with you. Did I say we should make it illegal for American companies to install it? No. They will do it and I won't like it, but that's my right. I am entitled to believe that freedom of speech is not only good law but a human right. You'll also notice I said that enforcing this belief on the Chinese (not sure how that would work) would be an act of cultural imperialism. So, save your condescending and presumptuous comments for someone else. Thanks.

quote:

quote:

Originally posted by divisionbyzero: So? I said it on Slashdot but I'll repeat it here. China is so poorly connected within China and to the outside world that the whole country could be blackholed easily.

Blackholing an entire country is tantamount to an act of war. Or terrorism. It's also not as easy as you'd think. Remember when Pakistan attempted to just block YouTube? The whole country went down, along with lots of other random networks. And that was just the YouTube netblock being blackholed. Routing infrastructure is very delicate, and you have to be extremely careful with your filters, especially as there are multiple netblocks used in multiple countries, or even worse, Chinese routers provide transit to non-Chinese netblocks. You going to punish them, as well?

Also, I intentionally reversed the order of quotes to point out the irony of your statements. Don't censor, but piss us off, we black hole your entire country!

Again, you are confused. I am aware of everything you said. It's done on a small scale all of the time. It would be fine. Anycast might get hosed but it's not clear why anyone would attack from an anycast address. Of course, the attacks could just spoof all of the addresses with ones outside of China but that's a different issue. It's not an act of war. It's network management.

There is no irony here. See my comments above about condescension and presumptuousness.

Originally posted by divisionbyzero: P.S. Why do Communists care about pr0n? I don't get it. I guess it's about control.

Typically, these totalitarian countries, e.g. North Korea, Burma (Myanmar), etc., tend to be very socially conservative and as such tend to try and control public morals. I think though, that while sexual censorship is at the forefront, this p0rn thing is a red herring and the real job of the Green Dam is political censorship. Control in the 1984 sense. If you control the input of sources of information for a long enough time your citizens will have no reason to think differently than the official versions. The question is will this filtering software be persuasive enough to filter out enough conflicting information so citizens will have no options to official policy? Probably not, and I would guess that 1984 type censorship is impossible without much more draconian methods.

Ah, I see. It's misdirection. Tell people it will block something they as a culture find offensive and block something the government finds offensive at the same time. Clever.

I have a question that I don't think I have seen asked let alone answered anywhere. So the Chinese Gov is pushing to get this software preinstalled on new PCs, are they also making it illegal for the end user to remove it? It would be a pretty large loophole in their scheme if I could just uninstall the software from my new computer or format the drive and install the OS clean. Unless the Chinese Gov is going to make it illegal to connect a computer to the internet in China without this software installed I suspect this scheme is doomed to failure. Of course, I would be entirely and completely unsurprised if the Chinese Gov did end up taking that route.

Let's see ... buy a comp from a gov't-sponsored builder who's putting all kinds of roadblocks in the way, or buy a comp from a triad-sponsored black market builder for 1/2 price with software on it that lets me penetrate the firewall and surf anon.

From the article: If the filtering software were sufficiently pervasive, automated exploits would be able to turn the whole country into a giant botnet practically overnight.

Um, why are we studying and reporting instead of studying and quietly being the first to exploit it? A massive botnet that quietly keeps itself updated until called upon to begin the Rise of the (Chinese) Machines seems like just the thing. Or maybe these millions of rooted machines could each make micropayments on US debt or order goods manufactured overseas (i.e. here).

quote:

Originally posted by ReaderBot: If your porn is resulting in reproduction, you're using it wrong.

What if your porn is used in conjunction with an actual person of the opposite sex? Maybe not so wrong after all.

quote:

Originally posted by newwb: How would examining images for skin tones be able to differentiate a vagina from an image of a medical skin condition?

Pretend I either made an awesome joke claiming "Vagina=Skin Condition" or else said something to the effect of "Geeks can't differentiate those anyways, so best to block both..." but snappier.

Originally posted by Kommet: Pretend I either made an awesome joke claiming "Vagina=Skin Condition" or else said something to the effect of "Geeks can't differentiate those anyways, so best to block both..." but snappier.

The researchers say that the image filtering system, which is designed to filter out pornographic material, leverages the open source OpenCV imaging library to detect images with significant areas of skin tone.

So furries will slip right through then?

quote:

Why do Communists care about pr0n? I don't get it. I guess it's about control.

Originally posted by newwb: How would examining images for skin tones be able to differentiate a vagina from an image of a medical skin condition?

Apropos of nothing, but actual human skin tones have a very narrow range of hues (we vary in saturation and lightness, but not hue).

So, actually lots of skin conditions wouldn't trigger a skin tone filter, because they actually result in the hue of skin changing (which is why they're so freaky-looking; skin outside of the proper hue can be viscerally unpleasant to look at).

China has only 2 choices: (1) Live with the existing Internet issues and do whatever other governments are doing to filter it the best they can. It is NEVER going to be lock-tight the way they wanted: live with that. (2) Disconnect from the existing Internet and build whatever they can and gateway using one interconnect with the existing internet (if they wanted). Yeah, leaky point for malware and bad elements. IF they can, build their OWN internet and control it however they wanted. I am assuming using their own technology (if they can muscle it).

Option 2 is NOT viable as we can see because it will take them 10-20 years to do and by then, they will be the "technological back-wash of planet earth".

Originally posted by xister: The censorship angle does seem futile. The Imagethief link was pretty good analysis. Adding to the fact the NYT article says the Chinese gov will only provide the software free for one year, after that you have to purchase it and the software either comes pre-installed or on disc depending on parent's choice the point of censorship seems moot, just don't install it or uninstall it...

There are two forms of modern secular government that seem to have staying power that grew out of events in the 1800's.

One is a federal government that tries to be open, avoids censorship and controlling the society too much. The leaders operate under restrictions and scrutiny. A democratic nation.

The other is a totalitarian regime that keeps tight control over its citizens' behavior, economics of the nation, and does everything it can to control information, religious, and political discussion/activities. Up to and including torture and executions. The communist regime.

Most of us are from the former; China is of the latter.

They can not continue to function without the ability to control the information that is fed to their people. So they really don't have a choice.

I expect that the combination of imprisonment, spying, and multiple layers of filtering is pretty effective. Generally speaking if you keep people fed (as in food, fed) most people are not going to really care a whole lot about fighting their circumstances. The people that do care will rarely risk imprisonment to work around the filters.

Then the tiny minority of curious people that do find out what the government is trying to hide can't actually do anything or act on that information. If they do try to talk to other people or act on any information that they gained then they will be almost certainly turned in to the state since citizens are trained and educated to spy on one another and are rewarded by society for turning people in.

It's actually a very effective form of control and has been shown to have real lasting power.

Oh, wait? Am I imposing my western morals on Chinese government? Oh, noes I may garner mild resentment from people who are not allowed to know about anything I have just talked about.

While we have firm beliefs in the freedom of speech here in the US, applying our moral filters to the rest of the world is part of the reason the rest of the world doesn't like us very much.

That is also an important comment, but not for the reason you mention. Firstly, equating the occasionally conservative views some Americans have as forcing morality on other countries is not something to be confused with basic human rights, something for which China is often guilty of violating... horribly. Things like limiting child population might seem cruel to some - but given the state of food consumption, space, etc., this is a move of common sense. For Chinese celebrities to pretty much have their careers be over if they engage in extramarital affairs is more of a cultural difference than a more black and white "right / wrong" kind of issue. China telling people what they can and cannot say, with whom they can socialise and how far they can reasonably express themselves - even far from the realm of violent and active dissent - is not such a grey area. And one doesn't need to be an American to think so. The fact that their own people by and large feel oppressed (something I know from a pretty decently sized sample of Chinese people from different independent circles who claim to be the case) tells me that America wanting Chinese people to have freedom of speech is not something which makes the general population of China not like the USA very much. Secondly, and you know "the rest of the world" doesn't like the USA very much? Really? How many other countries have you lived in where you met people who share this general sentiment. I have spent nearly 1/3 of my life OUTSIDE the USA (and I'm in my mid 30s) and have found most people to actually like the USA. True, I haven't spent any considerable time in the Mid-East or Africa, but countries in Europe and Asia *ARE* part of the rest of the world.

quote:

Further, multinational corporations serve their customers according to the laws of the land within which the customer resides. You can't claim they can do otherwise, as they would be evicted from the country otherwise.

Yeah, because there's *NO* corruption in China. We know this because the news has never mentioned it. Law of the land can't be overturned. In fact, the Chinese government itself never does anything against its own people which is in violation of its own rules.

quote:

Look at it this way: Chinese companies do business in the US, according to US rules and laws.

Good thing espionage is legal in the US, right?

quote:

...we have to bow to the realities of different cultures having different laws. It is worth noting however that the Chinese citizens are overwhelmingly against this, based on numerous polls about the topic.

Doesn't the attitude of citizenry essentially carry the principal weight of culture? If the citizens are against it, wouldn't it be because culturally they deem it unjust? Therefore wouldn't the law be deemed unjust?

I am shocked and surprised that a free and open nation like China would put software on people's computers that could be exploited to do things like install key loggers or screen capture. I am not that concerned about China having a national bot net. China has such a low population that only a few people would be infected (I think I read somewhere that all of China shares one IP address. The router is located in some old lady's house. [If the cable company ever finds out the entire country could be in a great deal of trouble.]).